The URL can be used to link to this page

Home My WebLink AboutAudit Reports - Public - Mobile Devices - Audit Follow-up - 1/16/2018'&& GLEN14City Auditors Office Memorandum Date: January 16, 2018 To: Kevin R. Phelps, City Manager From: Candace MacLeod, City Auditor Subject: Audit Follow-up: Mobile Devices In November 2016, the City Auditor's Office completed a citywide mobile device audit. The purpose of the audit was to verify whether the mobile device program meets the City's needs in an efficient and effective manner. The audit also assessed if wireless access to the City's network and data is adequately safeguarded. The audit included 26 recommendations to strengthen controls over mobile devices. Management concurred with all the recommendations and estimated that action plans to address them would be developed by October 31, 2017. In December 2017, an audit follow-up was performed. Out of the 26 recommendations, 18 remain open with an estimated completion date of March 30, 2018. The open items include: • Implementing a citywide policy that addresses the management of mobile devices • Developing controls to ensure only authorized devices access the City's network • Safeguarding, minimizing or eliminating the storage of City data on mobile devices • Monitoring mobile devices to identify those on the wrong plans or with zero usage • Consolidating service providers and instituting citywide standards for voice and data plans, equipment, and accessories Please contact me if you have any questions. Attachment cc: Michael D. Bailey, City Attorney Jim Brown, Director of Human Resources and Risk Management Lisette Camacho, Assistant Director of Budget and Finance Tom Duensing, Assistant City Manager Jack Friedline, Assistant City Manager Chuck Murphy, Director of Innovation and Technology Vicki Rios, Director of Budget and Finance City Auditor's Office 1 Mobile Device Audit Follow-up Management Response Management Response Recommendation February 2017 December 2017 Status 1.1 The City Manager's Office Concur. The CMO will The City currently utilizes Open (CMO) implement a work with the Budget the City -Paid Mobile citywide mobile device and Finance Electronic Devices or policy which addresses Department to update Reimbursement Finance the management of the City's mobile Administrative Policy mobile devices device policy by June (FAP) No. 4, revised 30, 2017. June 10, 2014, and Innovation & Technology Mobile Device Policy, revised November 2017. For network access being controlled by the City, IT is currently evaluating a virtual mobile workspace solution. A product recommendation will be made by March 30, 2018. 1.2 Innovation and Concur. IT is currently IT has been delayed in Open Technology (IT) evaluating a virtual the evaluation of Virtual implement controls to mobile workspace Mobile Workspace ensure only authorized solution that will control technology due to mobile devices access mobile device access competing priorities. the City's network. to City networks and The revised keep City data within recommendation date the City's datacenter. will be March 30, 2018. Product recommendation by August 31, 2017. 1.3 IT review and update Concur. IT is currently The Mobile Device Closed policies relating to updating its policies Policy has been mobile device access to related to device updated to reflect that the City network and access to the City only devices that have train staff. network. All devices will been registered with IT need to be approved will be allowed to by IT based on their connect to the City's ability to be network. appropriately secured and updated. Policy developed by August 31, 2017. 2.1 IT implement controls to Concur. IT is currently IT has been delayed in Open safeguard, minimize or evaluating a virtual the evaluation of Virtual eliminate the storage of mobile workspace Mobile Workspace City data on mobile solution that will technology due to devices during the eliminate the competing priorities. employment lifecycle of unintentional storage The revised City personnel. of City data on mobile rerecommendation City Auditor's Office 1 Mobile Device Audit Follow-up City Auditor's Office 2 Mobile Device Audit Follow-up devices. Providing VMI date will be March 30, budget is approved, 2018. tentative implementation by October 30, 2017. 2.2 IT update policies and Concur. City policies Closed procedures relating to will be updated by the disposal of mobile October 30, 2017. devices and train staff. however, per the updated Mobile Device Policy, users with City - owned devices must complete a Cell Phone Disposal Form and submit it to the Materials Control Warehouse. 2.3 Human Resources (HR) Concur. HR will update The exit interview form Closed update the HR Exit the exit interview was updated on Interview Checklist with checklist to include November 16, 2017 and an attestation that City wiping City data from is on the HR website. A data has been removed City -issued or personal memo was sent to from City -owned or mobile devices. The department heads on personal mobile devices supervisor is responsible November 17, 2017. upon termination of for signing the form employment. and sending to HR for the file. HR will also send the revised exit interview form to department heads informing them of this new requirement and reminding them to complete the form and send to HR upon an employee's termination. 3.1 The CMO ensure City Concur. The CMO will The CMO has reviewed Open Council approval is work with the Budget the procedures for obtained prior to and Finance controlling mobile exceeding authorized Department to review device spending with expenditure authority. its procedures Budget and Finance regarding expenditure and currently monitoring by June 30, expenditures paid 2017. against a purchase order and procurement cards are being analyzed to ensure expenditures are authorized. Additionally, the planned Enterprise Resource Planning City Auditor's Office 2 Mobile Device Audit Follow-up City Auditor's Office 3 Mobile Device Audit Follow-up software application has the ability to apply accounts payable expenditures and procurement card expenditures against the some purchase order. Staff is currently evaluating this functionality. The CMO will work with Budget and Finance to evaluate whether cell phone service should be exempt from the PO process by March 30, 2018. 3.2 The CMO ensure Concur. The City The CMO has reviewed Open contracts are monitored Manager's Office will the procedures for and renewed, as work with the Budget controlling mobile appropriate, prior to their and Finance device spending with termination date. Department to review Budget and Finance its procedures and currently regarding contract expenditures paid monitoring by June 30, against a purchase 2017. order and procurement cards are being analyzed to ensure expenditures are authorized. Additionally, the planned Enterprise Resource Planning software application has the ability to apply accounts payable expenditures and procurement card expenditures against the same purchase order. Staff is currently evaluating this functionality. The CMO will work with Budget and Finance to evaluate whether cell phone service should be exempt from the PO process by March 30, 2018. 4.1 Budget and Finance Concur. The Budget The Budget and Open review and update FAP and Finance Finance Department City Auditor's Office 3 Mobile Device Audit Follow-up City Auditor's Office 4 Mobile Device Audit Follow-up No. 4, including clarifying Department will work will work with the City minimal personal use of with the City Manager's Office to City -owned devices, and Manager's Office to update the City's . train staff. update the City's mobile device policy mobile device policy by March 30, 2018. by June 30, 2017. 4.2 City Manager's Office Concur. The Budget Consistent with IRS Open Assign responsibility for and Finance Technical Guidelines, review of mobile device Department will work "the IRS will treat the usage to ensure devices with the City value of any personal are used appropriately Manager's Office to use of a cell phone for business purposes. update the city's provided by the mobile device policy employer primarily for and assign noncompensatory responsibility for business purposes as monitoring usage by excludable from the June 30, 2017. employee's income as a de minimis fringe benefit." The CMO will work with Budget and Finance to revise FAP No. 4 consistent with the IRS Technical Guidelines by March 30, 2018. Departments are responsible for issuance of devices required by job duties. 4.3 CMO Assign responsibility Concur. The City The CMO will work with Open for the cancelation or Manager's Office will Budget and Finance to suspension of services for assign responsibility for revise FAP No. 4 to mobile devices not cancelation or assign the responsibility being used. suspension of services for management of for mobile devices not devices, including being used by March cancelation or 31, 2017. suspension of services for mobile devices not being used, to Department Directors by March 30, 2018. 4.4 CMO Work with City Concur. The Budget The CMO will work with Open departments to clarify and Finance Budget and Finance to their mobile device roles Department will work revise FAP No. 4 to and responsibilities. with the City assign the responsibility Manager's Office to for management of update the City's devices to Department mobile device policy Directors by March 30, and define roles and 2018. responsibilities by June 30, 2017. 5.1 Budget and Finance Concur. The Budget The Budget and Open Review existing WSCA and Finance Finance Department City Auditor's Office 4 Mobile Device Audit Follow-up City Auditor's Office 5 Mobile Device Audit Follow-up contracts or issue an RFP Department will review will review the existing to ensure cost-effective the existing WSCA WSCA contracts or mobile device services contracts or issue an issue an RFP for wireless are provided. RFP for wireless service service by March 30, by June 30, 2017. 2018. 5.2 Budget and Finance Concur. The Budget The Budget and Open consider consolidating and Finance Finance Department providers and institute Department will work will work with the CMO citywide standards for with the CMO to to review mobile voice and data plans, review mobile device device standards for equipment and standards for equipment and plans accessories. equipment and plans as part of the update as part of the update of FAP No. 4 by March of FAP 4 by June 30, 30, 2018. 2017. 5.3 Budget and Finance Concur. The Budget The Budget and Open Review and update FAP and Finance Finance Department No. 4 regarding Department will work will work with the CMO responsibility for with the CMO to to update the City's managing mobile update the City's mobile device policy device contracts, as mobile device policy by March 30, 2018. appropriate. b June 30, 2017. 5.4 CMO assign responsibility Concur. The CMO will The CMO will work with Open for requesting and work with the Budget Budget and Finance to reviewing mobile device and Finance revise FAP No. 4 to vendor optimization Department to update assign the responsibility reports. the City's mobile for management of device policy and devices to Department assign responsibility for Directors by March 30, reviewing optimization 2018. reports by June 30, 2017. 5.5 CMO develop controls to Concur. The CMO will The CMO will work with Open ensure only authorized work with the Budget Budget and Finance to employees are granted and Finance revise FAP No. 4 to access to mobile device Department to update assign employees vendor account the City's mobile authorized to have information. device policy and access to mobile develop reasonable device vendor account controls by June 30, information. 2017. Additionally, Materials Management will contact the mobile device vendors to ensure only authorized employees have access to online accounts. These items will be completed by March 30, 2018. 6.1 Budget and Finance Concur. The Budget The Budget and Open analyze and update and Finance Finance Department City Auditor's Office 5 Mobile Device Audit Follow-up City Auditor's Office 6 Mobile Device Audit Follow-up allowance criteria and Department will work will work with the CMO amounts, as applicable. with the CMO to to update the City's update the City's mobile device policy mobile device policy including updating including updating allowance policies and allowance policies and procedures by March procedures by June 30, 30, 2018. 2017. 6.2 Budget and Finance Concur. The Budget The Budget and Open Review and update and Finance Finance Department mobile device Department will work will work with the CMO allowance policies and with the CMO to to update the City's procedures. update the City's mobile device policy mobile device policy including updating including updating allowance policies and allowance policies and procedures by March procedures by June 30, 30, 2018. 2017. 6.3 City Management Concur. The CMO will The CMO will work with Open consider provision of work with the Budget the Budget and device allowances in lieu and Finance Finance Department to of City -owned devices, Department to update update the City's as applicable, to the City's mobile mobile device policy enhance efficiencies device policy and and consider revising and cost-effectiveness. consider revising device allowance device allowance guidelines by March guidelines by June 30, 30, 2018. 2017. 6.4 Human Resources Concur. HR has been This has been Closed Develop controls to requiring proof of a communicated verbally ensure proof of a device device for the $100 to HR staff in February is attached to a PA. and $75 allowances, 2017 and reminded with but not the $40 an email dated allowance. We will November 15, 2017. develop an additional control by not No formal written processing any procedures have been allowances unless the developed at this PA has the proof of point. This will be device attached. HR accomplished with the will also be changing implementation of the payout of cell SimpliCity next year. phone allowances from monthly to bi- weekly. This is how all other additional pays are processed. This change will reduce the amount of overpayments due to errors. City Auditor's Office 6 Mobile Device Audit Follow-up 6.5 HR Human Resources Concur. Controls are This has been Closed Develop controls to already in place to communicated verbally ensure device ensure device to HR staff in February allowances terminate on allowances are 2017 and reminded with the last day an terminated. When the an email dated employee physically termination PA is November 15, 2017. works. received from the department, an end No formal written date is entered into the procedures have been PeopleSoft system developed at this based on the point. This will be termination date. The accomplished with the two individuals noted in implementation of the report, however, SimpliCity next year. terminated their employment but returned as temporary within the same week. Going forward, HR will automatically end the cell phone allowance upon termination and will request that another PA be submitted by the department should they wish to continue the cell phone allowance. 6.6 HR Update HR device Concur. HR will update HR Policy 301 Closed allowance policies. Policy 301. We will references FAP No. 4 - change the policy to City -Paid Mobile indicate that Electronic Devices or allowance amounts Reimbursement. Once and required Budget and Finance documentation are updates their website included in the FAP No. and the location of the 4 - City -Paid Mobile forms is known, we will Electronic Devices or include a link in HR Reimbursement and Policy 301 during our include the actual link next policy updates. to the FAP and forms. 7.1 Budget and Finance Concur. The Budget The Budget and Open review and update FAP and Finance Finance Department No. 4, including Department will will update FAP No. 4 clarification that receipt update FAP No. 4 to to clarify that receiving of both a device clarify that receiving both a device and an allowance and City- both a device and an allowance is prohibited owned device is allowance is prohibited by March 30, 2018. prohibited. by March 31, 2018. 8.1 Innovation and Concur. IT will work with All technology, Closed Technology develop the CMO and Finance hardware and software City Auditor's Office 7 Mobile Device Audit Follow-up City Auditor's Office 8 Mobile Device Audit Follow-up controls to ensure City- to require IT approval purchases shall be owned Wads and tablets and purchase on all approved by IT, as are approved prior to City owned tablets and required in Technology purchase, tagged and Wads prior to purchase Replacement Fund recorded in the TRF (as to ensure they are Procedure, Section 3-d. applicable) and tagged and tracked. monitored. Management response 1.1 has a date of June 30, 2017. 9.1 Innovation and Concur. IT is currently The Mobile Device Closed Technology review and updating its policies Policy was updated on update IT policies and procedures to November 17, 2017. relating to mobile include mobile devices devices on an ongoing and will be based basis so they remain upon the citywide current and train staff. policy developed by City leadership. Target completion date is Au ust 31, 2017. City Auditor's Office 8 Mobile Device Audit Follow-up